feat: auth middleware, brain data layer, Valkey queue (P1-002/003/004) (#71)

Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>

apps/gateway/src/auth/auth.controller.ts

@@ -0,0 +1,20 @@
+import type { IncomingMessage, ServerResponse } from 'node:http';
+import { All, Controller, Inject, Req, Res } from '@nestjs/common';
+import type { FastifyReply, FastifyRequest } from 'fastify';
+import { toNodeHandler } from 'better-auth/node';
+import type { Auth } from '@mosaic/auth';
+import { AUTH } from './auth.module.js';
+
+@Controller('api/auth')
+export class AuthController {
+  private readonly handler: (req: IncomingMessage, res: ServerResponse) => Promise<void>;
+
+  constructor(@Inject(AUTH) auth: Auth) {
+    this.handler = toNodeHandler(auth);
+  }
+
+  @All('*path')
+  async handleAuth(@Req() req: FastifyRequest, @Res() res: FastifyReply): Promise<void> {
+    await this.handler(req.raw, res.raw);
+  }
+}

apps/gateway/src/auth/auth.guard.ts

@@ -0,0 +1,32 @@
+import {
+  CanActivate,
+  ExecutionContext,
+  Inject,
+  Injectable,
+  UnauthorizedException,
+} from '@nestjs/common';
+import { fromNodeHeaders } from 'better-auth/node';
+import type { Auth } from '@mosaic/auth';
+import type { FastifyRequest } from 'fastify';
+import { AUTH } from './auth.module.js';
+
+@Injectable()
+export class AuthGuard implements CanActivate {
+  constructor(@Inject(AUTH) private readonly auth: Auth) {}
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const request = context.switchToHttp().getRequest<FastifyRequest>();
+    const headers = fromNodeHeaders(request.raw.headers);
+
+    const result = await this.auth.api.getSession({ headers });
+
+    if (!result) {
+      throw new UnauthorizedException('Invalid or expired session');
+    }
+
+    (request as FastifyRequest & { user: unknown; session: unknown }).user = result.user;
+    (request as FastifyRequest & { user: unknown; session: unknown }).session = result.session;
+
+    return true;
+  }
+}

apps/gateway/src/auth/auth.module.ts

@@ -0,0 +1,26 @@
+import { Global, Module } from '@nestjs/common';
+import { createAuth, type Auth } from '@mosaic/auth';
+import type { Db } from '@mosaic/db';
+import { DB } from '../database/database.module.js';
+import { AuthController } from './auth.controller.js';
+
+export const AUTH = 'AUTH';
+
+@Global()
+@Module({
+  providers: [
+    {
+      provide: AUTH,
+      useFactory: (db: Db): Auth =>
+        createAuth({
+          db,
+          baseURL: process.env['BETTER_AUTH_URL'] ?? 'http://localhost:4000',
+          secret: process.env['BETTER_AUTH_SECRET'],
+        }),
+      inject: [DB],
+    },
+  ],
+  controllers: [AuthController],
+  exports: [AUTH],
+})
+export class AuthModule {}

apps/gateway/src/auth/current-user.decorator.ts

@@ -0,0 +1,7 @@
+import { createParamDecorator, type ExecutionContext } from '@nestjs/common';
+import type { FastifyRequest } from 'fastify';
+
+export const CurrentUser = createParamDecorator((_data: unknown, ctx: ExecutionContext) => {
+  const request = ctx.switchToHttp().getRequest<FastifyRequest & { user?: unknown }>();
+  return request.user;
+});